undefined | Better HN

0 pointsrst8y ago0 comments

To some of us, the "sprawling throw-it-over-the-wall approach to development" is the problem. Particularly when they decide to reimplement services instead of using battle-hardened code, and revive old bugs that haven't been seen in the wild in years. As has happened with their DNS resolver, which was initially shipped missing measures that everyone else had shipped years ago to deter cache poisoning, and had buffer overflow problems on top of that.

There are not fundamental design flaws. They don't have to be, to be a problem. And it's a problem exacerbated by the developers' typical response to problem reports -- to try to transfer blame, or treat them as personal attacks, rather than dealing with the issue. An example of that is CVE-2017-1000082 -- a rare example of a real problem that was assigned a CVE number by request of someone other than the developer, because the developers are still insisting, after a week of well-deserved mockery, that it's not a problem (or not their problem, or something)...

Refs:

Buffer overflow: https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dn...

Cache poisoning: http://seclists.org/oss-sec/2014/q4/592

0 comments

5 comments · 2 top-level

KirinDave8y ago· 2 in thread

"Battle-hardened" code is a myth. Please do not appeal to it. Either you're doing the hard work for security or you aren't.

You do not need to experience a breach in advance to have a hope of stopping a breach.

Besides, if people cared about security they'd use tools and languages and runtimes that help them test thst code works right. They don't, by and large.

echaozh8y ago

Hey, systemd has to be shipped when it's immature because you need users to try it out and help catch all the bugs and insecurities. Now you say battle hardened code is a myth.

Sure, people should audit their own tools, but there are also casual users. And there are indirect users. They are entitled to enjoy the better (if not perfect) security provided by battle hardened code.

KirinDave8y ago

I'm not sure why you're attributing that argument to me, but please don't fall into the habit of merging all the people who disagree with you in a thread into some kind of intellectual chimera.

I've even said above I agree with criticisms that systemd didn't plan and was deployed too early and too fast.

jwilk8y ago· 1 in thread

> CVE-2017-1000082

This was discussed here: http://www.openwall.com/lists/oss-security/2017/07/02/1

> a rare example of a real problem that was assigned a CVE number by request of someone other than the developer

It's fairly common that the security researcher requests CVE. CVE request by an affected distro (which is what happened here) isn't anything unusual either.

JdeBP8y ago

It was discussed a whole lot more in these places:

* https://github.com/systemd/systemd/pull/6300

* https://github.com/systemd/systemd/issues/6277 (https://news.ycombinator.com/item?id=14681377)

* https://lists.freedesktop.org/archives/systemd-devel/2017-Ju...

* https://news.ycombinator.com/item?id=14682210

j / k navigate · click thread line to collapse